PAYMENT TERMINAL SHARING

US 20160078437A1
Filed: 09/12/2014
Published: 03/17/2016
Est. Priority Date: 09/12/2014
Status: Active Grant

First Claim

Patent Images

1. A method of configuring a payment terminal to be shared by a plurality of operators with cryptographic segregation between different operators, the method comprising:

transmitting a master-transport key from a payment provider to a controlling entity associated with the payment terminal in a confidentiality-secured manner;

deriving, both at the payment provider and at the controlling entity, a transport key from the master-transport key using an identification number of the payment terminal;

symmetrically encrypting, by the controlling entity, the transport key using an access key specific to the payment terminal;

transmitting the encrypted transport key to the payment terminal, wherein the controlling entity controls usage of the payment terminal in an operator-selective manner by the transmission of the encrypted transport key, and the master-transport key is specific to one of the operators;

decrypting the encrypted transport key at the payment terminal with the access key;

deriving, by the payment provider, a first encryption key from a base-derivation key using the identification number of the payment terminal;

symmetrically encrypting the first encryption key with the transport key;

transmitting the encrypted first encryption key to the payment terminal;

decrypting the encrypted first encryption key at the payment terminal with the decrypted transport key; and

deriving, both at the payment provider and at the payment terminal, a second encryption key from the first encryption key using a transaction-specific number associated with a payment transaction, when performing the payment transaction with the payment terminal,wherein the transport key, the first encryption key, and the second encryption key are specific to one of the operators and to the payment terminal, and the base-derivation key is specific to one of the operators.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products for payment terminal sharing. A payment terminal is configured to become usable as a payment terminal shared by a plurality of operators with cryptographic segregation between the different operators of the payment terminal. An operator- and terminal-specific transport key is provided to the payment terminal. An operator- and terminal-specific initial-encryption key is derived, by the payment provider, from an operator-specific base-derivation key using the terminal-identification number, or an additional identification number of the payment terminal. The operator- and terminal-specific initial-encryption key is transmitted to the payment terminal, and is decrypted at the payment terminal. An operator- and transaction-specific encryption key is derived, both at the payment provider and the payment terminal, from the operator- and terminal-specific initial-encryption key using a transaction-specific number associated with this transaction, when performing a transaction with the payment terminal.

Citations

21 Claims

1. A method of configuring a payment terminal to be shared by a plurality of operators with cryptographic segregation between different operators, the method comprising:
- transmitting a master-transport key from a payment provider to a controlling entity associated with the payment terminal in a confidentiality-secured manner;
  
  deriving, both at the payment provider and at the controlling entity, a transport key from the master-transport key using an identification number of the payment terminal;
  
  symmetrically encrypting, by the controlling entity, the transport key using an access key specific to the payment terminal;
  
  transmitting the encrypted transport key to the payment terminal, wherein the controlling entity controls usage of the payment terminal in an operator-selective manner by the transmission of the encrypted transport key, and the master-transport key is specific to one of the operators;
  
  decrypting the encrypted transport key at the payment terminal with the access key;
  
  deriving, by the payment provider, a first encryption key from a base-derivation key using the identification number of the payment terminal;
  
  symmetrically encrypting the first encryption key with the transport key;
  
  transmitting the encrypted first encryption key to the payment terminal;
  
  decrypting the encrypted first encryption key at the payment terminal with the decrypted transport key; and
  
  deriving, both at the payment provider and at the payment terminal, a second encryption key from the first encryption key using a transaction-specific number associated with a payment transaction, when performing the payment transaction with the payment terminal,wherein the transport key, the first encryption key, and the second encryption key are specific to one of the operators and to the payment terminal, and the base-derivation key is specific to one of the operators.
- View Dependent Claims (5, 6, 7, 8, 9, 10)
- - 5. The method of claim 1 wherein decrypting the encrypted transport key at the payment terminal with the access key comprises:
    - decrypting the encrypted transport key with the access key at the payment terminal upon receipt, and storing the decrypted transport key in a secure storage of the payment terminal;
      
      orstoring the encrypted transport key at the payment terminal, and decrypting the stored encrypted transport key with the access key at the payment terminal when the decrypted transport key is required for the decryption of the encrypted first encryption key to perform the payment transaction with the payment terminal.
  - 6. The method of claim 1 wherein decrypting the encrypted first encryption key at the payment terminal with the decrypted transport key comprises:
    - decrypting the encrypted first encryption key with the decrypted transport key at the payment terminal upon receipt or input, and storing the decrypted first encryption key in a secure storage of the payment terminal;
      
      orstoring the encrypted first encryption key at the payment terminal upon receipt or input, and decrypting the stored encrypted first encryption key with the decrypted transport key at the payment terminal when the decrypted first encryption key is required for obtaining the second encryption key using the decrypted first encryption key to perform the payment transaction with the payment terminal.
  - 7. The method of claim 1 further comprising:
    - providing a first usage mode in which transaction data is exchanged between the payment terminal and one of the operators;
      
      providing a second usage mode in which transaction data is exchanged between the payment terminal and the payment provider;
      
      assigning either the first usage mode or the second usage mode to each of the plurality of operators;
      
      upon one of the operators of the plurality of operators starting to use the payment terminal, automatically selecting the first usage mode or the second based upon an identity of the operator; and
      
      performing the transaction at the payment terminal using the first usage mode or the second usage mode that is automatically selected.
  - 8. The method of claim 1 further comprising:
    - deriving the access key used by the controlling entity for symmetric encryption from a master-access key specific to the controlling entity using the identification number of the payment terminal.
  - 9. The method of claim 1 further comprising:
    - receiving the access key at the payment terminal from a terminal provider in a confidentiality-secured manner; and
      
      storing the access key at the payment terminal.
  - 10. The method of claim 9 further comprising:
    - deriving the access key, by the terminal provider, from a master-access key specific to the controlling entity based upon the identification number of the payment terminal; and
      
      transmitting the master-access key from the controlling entity to the terminal provider in a confidentiality-secured manner.

2. (canceled)

3. A method of configuring a payment terminal to be shared by a plurality of operators with cryptographic segregation between different operators, the method comprising:
- deriving, at a payment provider, a transport key from a master-transport key using an identification number of the payment terminal;
  
  transmitting the transport key from the payment provider to a controlling entity associated with the payment terminal in a confidentiality-secured manner;
  
  symmetrically encrypting, by the controlling entity, the transport key with an access key;
  
  transmitting the encrypted transport key to the payment terminal, wherein the controlling entity controls usage of the payment terminal in an operator-selective manner by the transmission of the encrypted transport key, and the master-transport key is specific to one of the operators;
  
  decrypting the encrypted transport key at the payment terminal with the access key;
  
  deriving, by the payment provider, a first encryption key from a base-derivation key using the identification number of the payment terminal;
  
  symmetrically encrypting the first encryption key with the transport key;
  
  transmitting the encrypted first encryption key to the payment terminal;
  
  decrypting the encrypted first encryption key at the payment terminal with the decrypted transport key; and
  
  deriving, both at the payment provider and at the payment terminal, a second encryption key from the first encryption key using a transaction-specific number associated with a payment transaction, when performing the payment transaction with the payment terminal,wherein the transport key, the first encryption key, and the second encryption key are specific to one of the operators and to the payment terminal, and the base-derivation key is specific to one of the operators.

4. A method of configuring a payment terminal to be shared by a plurality of operators with cryptographic segregation between different operators, the method comprising:
- receiving an encrypted transport key as manual input into the payment terminal, wherein a controlling entity controls usage of the payment terminal in an operator-selective manner based upon the transport key;
  
  decrypting the encrypted transport key at the payment terminal with an access key;
  
  deriving, by a payment provider, a first encryption key from a base-derivation key using an identification number of the payment terminal;
  
  symmetrically encrypting the first encryption key with the transport key;
  
  transmitting the encrypted first encryption key to the payment terminal;
  
  decrypting the encrypted first encryption key at the payment terminal with the decrypted transport key; and
  
  deriving, both at the payment provider and at the payment terminal, a second encryption key from the first encryption key using a transaction-specific number associated with a payment transaction, when performing the payment transaction with the payment terminal,wherein the transport key, the first encryption key, and the second encryption key are specific to one of the operators and to the payment terminal, and the base-derivation key is specific to one of the operators.

11. A system for configuring a payment terminal to be shared by a plurality of operators with cryptographic segregation between different operators, the system comprising:
- at least one processor; and
  
  a memory coupled to the at least one processor, the memory including program code configured to be executed by the at least one processor to cause the system to;
  
  transmit a master-transport key from a payment provider to a controlling entity associated with the payment terminal in a confidentiality-secured manner;
  
  derive, both at the payment provider and at the controlling entity, a transport key from the master-transport key using an identification number of the payment terminal;
  
  symmetrically encrypt, by the controlling entity, the transport key using an access key specific to the payment terminal;
  
  transmit the encrypted transport key to the payment terminal, wherein the controlling entity controls usage of the payment terminal in an operator-selective manner by the transmission of the encrypted transport key, and the master-transport key is specific to one of the operators;
  
  decrypt the encrypted transport key at the payment terminal with the access key;
  
  derive, by the payment provider, a first encryption key from a base-derivation key using the identification number of the payment terminal;
  
  symmetrically encrypt the first encryption key with the transport key;
  
  transmit the encrypted first encryption key to the payment terminal;
  
  decrypt the encrypted first encryption key at the payment terminal with the decrypted transport key; and
  
  derive, both at the payment provider and at the payment terminal, a second encryption key from the first encryption key using a transaction-specific number associated with a payment transaction, when performing the payment transaction with the payment terminal,wherein the transport key, the first encryption key, and the second encryption key are specific to one of the operators and to the payment terminal, and the base-derivation key is specific to one of the operators.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 11 wherein the program code configured to be executed by the at least one processor to cause the system to decrypt the encrypted transport key at the payment terminal with the access key comprises:
    - program code configured to be executed by the at least one processor to cause the system to;
      
      decrypt the encrypted transport key with the access key at the payment terminal upon receipt, and store the decrypted transport key in a secure storage of the payment terminal;
      
      orstore the encrypted transport key at the payment terminal, and decrypt the stored encrypted transport key with the access key at the payment terminal when the decrypted transport key is required for the decryption of the encrypted first encryption key to perform the payment transaction with the payment terminal.
  - 16. The system of claim 11 wherein the program code configured to be executed by the at least one processor to cause the system to decrypt the encrypted first encryption key at the payment terminal with the decrypted transport key comprises:
    - program code configured to be executed by the at least one processor to cause the system to;
      
      decrypt the encrypted first encryption key with the decrypted transport key at the payment terminal upon receipt or input, and store the decrypted first encryption key in a secure storage of the payment terminal;
      
      orstore the encrypted first encryption key at the payment terminal upon receipt or input, and decrypt the stored encrypted first encryption key with the decrypted transport key at the payment terminal when the decrypted first encryption key is required for obtaining the second encryption key using the decrypted first encryption key to perform the payment transaction with the payment terminal.
  - 17. The system of claim 11 further comprising program code configured to be executed by the at least one processor to cause the system to:
    - provide a first usage mode in which transaction data is exchanged between the payment terminal and one of the operators;
      
      provide a second usage mode in which transaction data is exchanged between the payment terminal and the payment provider;
      
      assign either the first usage mode or the second usage mode to each of the plurality of operators;
      
      upon one of the operators of the plurality of operators starting to use the payment terminal, automatically select the first usage mode or the second based upon an identity of the operator; and
      
      perform the transaction at the payment terminal using the first usage mode or the second usage mode that is automatically selected.
  - 18. The system of claim 11 further comprising program code configured to be executed by the at least one processor to cause the system to:
    - derive the access key used by the controlling entity for symmetric encryption from a master-access key specific to the controlling entity using the identification number of the payment terminal.
  - 19. The system of claim 11 further comprising program code configured to be executed by the at least one processor to cause the system to:
    - receive the access key at the payment terminal from a terminal provider in a confidentiality-secured manner; and
      
      store the access key at the payment terminal.
  - 20. The system of claim 19 further comprising program code configured to be executed by the at least one processor to cause the system to:
    - derive the access key, by the terminal provider, from a master-access key specific to the controlling entity based upon the identification number of the payment terminal; and
      
      transmit the master-access key from the controlling entity to the terminal provider in a confidentiality-secured manner.

12. (canceled)

13. A system for configuring a payment terminal to be shared by a plurality of operators with cryptographic segregation between different operators, the system comprising:
- at least one processor; and
  
  a memory coupled to the at least one processor, the memory including program code configured to be executed by the at least one processor to cause the system to;
  
  derive, at a payment provider, a transport key from a master-transport key using an identification number of the payment terminal;
  
  transmit the transport key from the payment provider to a controlling entity associated with the payment terminal in a confidentiality-secured manner;
  
  symmetrically encrypt, by the controlling entity, the transport key with an access key;
  
  transmit the encrypted transport key to the payment terminal, wherein the controlling entity controls usage of the payment terminal in an operator-selective manner by the transmission of the encrypted transport key, and the master-transport key is specific to one of the operators;
  
  decrypt the encrypted transport key at the payment terminal with the access key;
  
  derive, by the payment provider, a first encryption key from a base-derivation key using the identification number of the payment terminal;
  
  symmetrically encrypt the first encryption key with the transport key;
  
  transmit the encrypted first encryption key to the payment terminal;
  
  decrypt the encrypted first encryption key at the payment terminal with the decrypted transport key; and
  
  derive, both at the payment provider and at the payment terminal, a second encryption key from the first encryption key using a transaction-specific number associated with a payment transaction, when performing the payment transaction with the payment terminal,wherein the transport key, the first encryption key, and the second encryption key are specific to one of the operators and to the payment terminal, and the base-derivation key is specific to one of the operators.

14. A system for configuring a payment terminal to be shared by a plurality of operators with cryptographic segregation between different operators, the system comprising:
- at least one processor; and
  
  a memory coupled to the at least one processor, the memory including program code configured to be executed by the at least one processor to cause the system to;
  
  receive an encrypted transport key as manual input into the payment terminal, wherein a controlling entity controls usage of the payment terminal in an operator-selective manner based upon the transport key;
  
  decrypt the encrypted transport key at the payment terminal with an access key;
  
  derive, by a payment provider, a first encryption key from a base-derivation key using an identification number of the payment terminal;
  
  symmetrically encrypt the first encryption key with the transport key;
  
  transmit the encrypted first encryption key to the payment terminal;
  
  decrypt the encrypted first encryption key at the payment terminal with the decrypted transport key; and
  
  derive, both at the payment provider and at the payment terminal, a second encryption key from the first encryption key using a transaction-specific number associated with a payment transaction, when performing the payment transaction with the payment terminal,wherein the transport key, the first encryption key, and the second encryption key are specific to one of the operators and to the payment terminal, and the base-derivation key is specific to one of the operators.

21. A computer program product for configuring a payment terminal to be shared by a plurality of operators with cryptographic segregation between different operators, the computer program product comprising:
- a non-transitory computer readable storage medium; and
  
  instructions stored on the non-transitory computer readable storage medium that, when executed by a processor, cause the processor to;
  
  transmit a master-transport key from a payment provider to a controlling entity associated with the payment terminal in a confidentiality-secured manner;
  
  derive, both at the payment provider and at the controlling entity, a transport key from the master-transport key using an identification number of the payment terminal;
  
  symmetrically encrypt, by the controlling entity, the transport key using an access key specific to the payment terminal;
  
  transmit the encrypted transport key to the payment terminal, wherein the controlling entity controls usage of the payment terminal in an operator-selective manner by the transmission of the encrypted transport key, and the master-transport key is specific to one of the operators;
  
  decrypt the encrypted transport key at the payment terminal with the access key;
  
  derive, by the payment provider, a first encryption key from a base-derivation key using the identification number of the payment terminal;
  
  symmetrically encrypt the first encryption key with the transport key;
  
  transmit the encrypted first encryption key to the payment terminal;
  
  decrypt the encrypted first encryption key at the payment terminal with the decrypted transport key; and
  
  derive, both at the payment provider and at the payment terminal, a second encryption key from the first encryption key using a transaction-specific number associated with a payment transaction, when performing the payment transaction with the payment terminal,wherein the transport key, the first encryption key, and the second encryption key are specific to one of the operators and to the payment terminal, and the base-derivation key is specific to one of the operators.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amadeus S.A.S. (Amadeus Global Travel Distribution S.A.)
Original Assignee
Amadeus S.A.S. (Amadeus Global Travel Distribution S.A.)
Inventors
Tahon, Mathieu, Bosco, Lorenzo, Hirel, Nicolas, Milani, Veronica, Diana, Remi

Granted Patent

US 9,373,113 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/401   Transaction verification

G06Q 2220/10   Usage protection of distrib...

H04L 2209/24   Key scheduling, i.e. genera...

H04L 9/0861   Generation of secret inform...

H04L 9/14   using a plurality of keys o...

PAYMENT TERMINAL SHARING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

PAYMENT TERMINAL SHARING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links